15 Jan
2006
15 Jan
'06
1:09 p.m.
Hello,
I am looking for a DNS proxy that allows me to filter which DNS requests
are answered and which ones are dropped.
The software should allow me to specify something like this:
192.168.1.5 "www.yahoo.com","www.google.com"
192.168.1.6 "www.google.com"
meaning that the first machine is allowed to resolve the specified 2
names, and the second only "www.google.com".
Reverse lookups, zone transfers and all kind of "browsing" must be blocked.
I have looked at the bind documentation and although I found the view
concept, this does not appear to allow me to specify a list of allowed
names. Nor have I found an application-level firewall which understands
DNS records.
Does anybody know of such a software?
-pu
15 Jan
15 Jan
1:24 p.m.
Hello Patrick,
I think, the best would be to set up a squid proxy server.
You should then configure the firewall so that only the proxy server can
"browse" on port 80.
On the proxy server, you can easily configure access groups and allow or
deny URL regular expressions.
But you know, if you allow google and deny all other domains, the users
won't be able to follow links in google's search results?
Regards,
Michel
Patrick Useldinger schrieb:
Hello,
I am looking for a DNS proxy that allows me to filter which DNS
requests are answered and which ones are dropped.
The software should allow me to specify something like this:
192.168.1.5 "www.yahoo.com","www.google.com"
192.168.1.6 "www.google.com"
meaning that the first machine is allowed to resolve the specified 2
names, and the second only "www.google.com".
Reverse lookups, zone transfers and all kind of "browsing" must be
blocked.
I have looked at the bind documentation and although I found the view
concept, this does not appear to allow me to specify a list of allowed
names. Nor have I found an application-level firewall which
understands DNS records.
Does anybody know of such a software?
-pu
_______________________________________________
Lilux-help mailing list
Lilux-help(a)lilux.lu
http://lilux.lu/mailman/listinfo/lilux-help
1:34 p.m.
Michel Kohl wrote:
I think, the best would be to set up a squid proxy
server.
You should then configure the firewall so that only the proxy server can
"browse" on port 80.
And then direct DNS requests to port 80?
On the proxy server, you can easily configure access
groups and allow or
deny URL regular expressions.
Would Squid also look inside DNS request and answer packets? I want to
filter DNS requests, not HTTP traffic.
But you know, if you allow google and deny all other
domains, the users
won't be able to follow links in google's search results?
That was just an example. The real application is to provide DNS
services to a DMZ but to filter which DMZ machine can do which name
resolution.
Regards,
-pu
1:54 p.m.
Hello Patrick,
I thought that you would like to restrict users in browsing :)...
A proxy server cannot handle DNS requests, it only gets the DNS
addresses for requested URL from a users who wants to browse...
But I do not really understand, why you only want to restrict DNS usage?
Wouldn't it be easier to let the machines do the DNS lookup, but to
allow in the firewall only connections to google.com and yahoo.com?
You could write your own DNS forwarding service which can restrict them :-).
Did you take a look at sourceforge.net or freshmeat.net for DNS
forwarding services?
Regards,
Michel
Patrick Useldinger schrieb:
Michel Kohl wrote:
I think, the best would be to set up a squid
proxy server.
You should then configure the firewall so that only the proxy server
can "browse" on port 80.
And then direct DNS requests to port 80?
On the proxy server, you can easily configure
access groups and allow
or deny URL regular expressions.
Would Squid also look inside DNS request and answer packets? I want to
filter DNS requests, not HTTP traffic.
But you know, if you allow google and deny all
other domains, the
users won't be able to follow links in google's search results?
That was just an example. The real application is to provide DNS
services to a DMZ but to filter which DMZ machine can do which name
resolution.
Regards,
-pu
2:16 p.m.
Michel Kohl wrote:
A proxy server cannot handle DNS requests, it only
gets the DNS
addresses for requested URL from a users who wants to browse...
Unless it's a DNS proxy ;-) Proxy does not always mean http proxy, it
can be plenty of things.
But I do not really understand, why you only want to
restrict DNS usage?
Wouldn't it be easier to let the machines do the DNS lookup, but to
allow in the firewall only connections to google.com and yahoo.com?
No, my context is entierly different. Don't focus on the example I gave.
What I need is to control at the DNS level which host can ask which name
resolution.
You could write your own DNS forwarding service which
can restrict them
:-).
Yes I could and I have investigated that as well. My best solution would
be to use Twisted. But it's not a trivial issue.
Did you take a look at sourceforge.net or
freshmeat.net for DNS
forwarding services?
Yes, but I didn't find anything yet.
Regards,
-pu
2:52 p.m.
Hello,
well, I looked at the bind documentation.
I think it is possible to work with it.
If you do define a special zone:
zone www.google.com {
type forward;
allow-query <address_match_list>;
forwarders <ip_address_of_dns_server_of_isp>;
}
For servers which should be able to look-up everything, I think you can
define this:
zone . {
type forward;
.....
}
http://www.isc.org/sw/bind/arm93/Bv9ARM.ch06.html#zone_statement_grammar
Play a little bit around, it should be possible....
Regards,
Michel
Patrick Useldinger schrieb:
Michel Kohl wrote:
A proxy server cannot handle DNS requests, it
only gets the DNS
addresses for requested URL from a users who wants to browse...
Unless it's a DNS proxy ;-) Proxy does not always mean http proxy, it
can be plenty of things.
But I do not really understand, why you only want
to restrict DNS usage?
Wouldn't it be easier to let the machines do the DNS lookup, but to
allow in the firewall only connections to google.com and yahoo.com?
No, my context is entierly different. Don't focus on the example I
gave. What I need is to control at the DNS level which host can ask
which name resolution.
You could write your own DNS forwarding service
which can restrict
them :-).
Yes I could and I have investigated that as well. My best solution
would be to use Twisted. But it's not a trivial issue.
Did you take a look at sourceforge.net or
freshmeat.net for DNS
forwarding services?
Yes, but I didn't find anything yet.
Regards,
-pu
3:24 p.m.
Michel Kohl wrote:
If you do define a special zone:
zone www.google.com {
type forward;
allow-query <address_match_list>;
forwarders <ip_address_of_dns_server_of_isp>;
}
I will try that and get back to you.
Thanks,
-pu
6878
days inactive
6878
days old
6 comments
2 participants
participants (2)
-
Michel Kohl -
Patrick Useldinger